The lsof Utility

List all Open Files with lsof Command

The columns and their values are self-explanatory. However, we'll review the FD and TYPE columns more closely.

FD stands for file descriptor. Some of the values you may see are:

  • cwd – current working directory
  • rtd – root directory
  • txt – program text (code and data)
  • mem – memory-mapped file

Numbers in the FD column, such as 1u, are the actual file descriptor, followed by u, r or w for its access mode:

  • r for read access.
  • w for write access.
  • u for read and write access.

TYPE – the type of the file and its identification:

  • DIR – Directory
  • REG – Regular file
  • CHR – Character special file.
  • FIFO – First In First Out

List User Specific Opened Files

The command below lists all files opened by user uba.

# lsof -u uba
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 17162 uba cwd DIR 253,0 242 96 /
sshd 17162 uba rtd DIR 253,0 242 96 /
sshd 17162 uba txt REG 253,0 853040 17110610 /usr/sbin/sshd
sshd 17162 uba mem REG 253,0 15480 33614436 /usr/lib64/security/pam_lastlog.so
sshd 17162 uba mem REG 253,0 15632 16840218 /usr/lib64/libpam_misc.so.0.82.0
sshd 17162 uba mem REG 253,0 309272 33605135 /usr/lib64/security/pam_systemd.so
sshd 17162 uba mem REG 253,0 19600 33614437 /usr/lib64/security/pam_limits.so

Find Processes running on Specific Port

To find all processes using a specific port, use the -i option. The example below lists all processes using TCP port 22.

# lsof -i TCP:22
COMMAND   PID  USER  FD   TYPE  DEVICE   SIZE/OFF  NODE   NAME
sshd     3507  root   3u  IPv4   27109        0t0  TCP    *:ssh (LISTEN)
sshd    17160  root   3u  IPv4 1930572        0t0  TCP    mail:ssh->gateway:48242 (ESTABLISHED)
sshd    17162   uba   3u  IPv4 1930572        0t0  TCP    mail:ssh->gateway:48242 (ESTABLISHED)

List Only IPv4 & IPv6 Open Files

The examples below show only IPv4 and only IPv6 open network files, using separate commands.

# lsof -i 4
COMMAND   PID    USER  FD   TYPE  DEVICE SIZE/OFF NODE NAME
rsync     3090   root   4u  IPv4   23493      0t0  TCP *:rsync (LISTEN)
chronyd   3249 chrony   1u  IPv4   25647      0t0  UDP localhost:323 
sshd      3507   root   3u  IPv4   27109      0t0  TCP *:ssh (LISTEN)
openvpn   3511 nobody   6u  IPv4   30082      0t0  UDP *:openvpn 
redis-ser 3515  redis   4u  IPv4   27976      0t0  TCP localhost:6379 (LISTEN)
redis-ser 3515  redis   5u  IPv4 1935299      0t0  TCP localhost:6379->localhost:56878 (ESTABLISHED)
redis-ser 3515  redis   6u  IPv4 1935301      0t0  TCP localhost:6379->localhost:56880 (ESTABLISHED)
redis-ser 3515  redis   7u  IPv4 1946266      0t0  TCP localhost:6379->localhost:56886 (ESTABLISHED)
redis-ser 3515  redis   8u  IPv4 1946268      0t0  TCP localhost:6379->localhost:56888 (ESTABLISHED)
nmbd      3520   root  14u  IPv4   28204      0t0  UDP *:netbios-ns

# lsof -i 6

List Open Files of TCP Port ranges 1-1024

To list all processes with open files on TCP ports in the range 1-1024:

# lsof -i TCP:1-1024
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsync 3090 root 4u IPv4 23493 0t0 TCP *:rsync (LISTEN)
sshd 3507 root 3u IPv4 27109 0t0 TCP *:ssh (LISTEN)
smbd 3571 root 30u IPv4 30137 0t0 TCP tst.tst-amo.net.ua:microsoft-ds (LISTEN)
smbd 3571 root 31u IPv4 30138 0t0 TCP tst.tst-amo.net.ua:netbios-ssn (LISTEN)
smbd 3571 root 32u IPv4 30139 0t0 TCP mail:microsoft-ds (LISTEN)
smbd 3571 root 33u IPv4 30140 0t0 TCP mail:netbios-ssn (LISTEN)

Exclude User with ‘^’ Character

# lsof -i -u^root
COMMAND     PID      USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
chronyd    3249    chrony    1u  IPv4   25647      0t0  UDP localhost:323 
openvpn    3511    nobody    6u  IPv4   30082      0t0  UDP *:openvpn 
redis-ser  3515     redis    4u  IPv4   27976      0t0  TCP localhost:6379 (LISTEN)
memcached  3522 memcached   26u  IPv4   28032      0t0  TCP localhost:memcache (LISTEN)
icecast    3523   icecast    4u  IPv4   27491      0t0  TCP mail:irdmi (LISTEN)

Find Out Who Is Looking at What Files and Commands

The example below shows that user uba is running the ping command and is using the /home/uba directory.

# lsof -i -u uba | grep ping
ping 17660 uba cwd DIR 253,2 4096 99 /home/uba
ping 17660 uba rtd DIR 253,0 242 96 /
ping 17660 uba txt REG 253,0 66176 210234 /usr/bin/ping
ping 17660 uba mem REG 253,0 106070960 987152 /usr/lib/locale/locale-archive

List all Network Connections

The following command with the -i option lists all network connections, both LISTENING and ESTABLISHED.

# lsof -i
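An added example, not part of the original page: a filter that reduces an `lsof -i` listing to the sockets bound to the wildcard address `*`, which are the ones that accept traffic on every interface. The function names are hypothetical, and the sample input is the IPv4 listing shown earlier on this page.

```shell
#!/bin/sh
# exposed_sockets: read `lsof -i` output on stdin and print
# "COMMAND PID USER PROTO PORT" for each TCP listener or unconnected UDP
# socket bound to the wildcard address (*).
exposed_sockets() {
    awk '
        $1 == "COMMAND" && $2 == "PID" { next }      # skip the header row
        {
            proto = $8; name = $9; state = $10
            if (proto != "TCP" && proto != "UDP") next
            if (name ~ /->/) next                     # connected socket, not a listener
            if (proto == "TCP" && state != "(LISTEN)") next
            n = split(name, part, ":")                # NAME is host:port
            port = part[n]
            host = substr(name, 1, length(name) - length(port) - 1)
            if (host == "*")                          # localhost-only sockets are dropped
                print $1, $2, $3, proto, port
        }'
}

# Sample input: the `lsof -i 4` listing from this page, embedded so the
# example runs without lsof installed.
sample_lsof_output() {
    cat <<'EOF'
COMMAND   PID    USER  FD   TYPE  DEVICE SIZE/OFF NODE NAME
rsync     3090   root   4u  IPv4   23493      0t0  TCP *:rsync (LISTEN)
chronyd   3249 chrony   1u  IPv4   25647      0t0  UDP localhost:323
sshd      3507   root   3u  IPv4   27109      0t0  TCP *:ssh (LISTEN)
openvpn   3511 nobody   6u  IPv4   30082      0t0  UDP *:openvpn
redis-ser 3515  redis   4u  IPv4   27976      0t0  TCP localhost:6379 (LISTEN)
redis-ser 3515  redis   5u  IPv4 1935299      0t0  TCP localhost:6379->localhost:56878 (ESTABLISHED)
nmbd      3520   root  14u  IPv4   28204      0t0  UDP *:netbios-ns
EOF
}

# Run the filter on the sample listing.
sample_lsof_output | exposed_sockets
```

On a live system the same filter is used as `lsof -i | exposed_sockets`; adding -n and -P to lsof prints numeric addresses and ports instead of resolved names.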

Search by PID

The example below shows only the files opened by the process whose PID is 1.

# lsof -p 1
COMMAND PID USER FD TYPE DEVICE SIZE/OFF   NODE  NAME
systemd   1 root cwd DIR  253,0      242     96  /
systemd   1 root rtd DIR  253,0      242     96  /
systemd   1 root txt REG  253,0  1620416 154627  /usr/lib/systemd/systemd

Kill all Activity of Particular User

Sometimes you may have to kill all the processes of a specific user. The command below kills all processes of user uba.

# kill -9 `lsof -t -u uba`

Kill the ping process of user uba:

# lsof -i -u uba | grep ping
# lsof -p 17660
# kill -9 `lsof -t -p 17660`

10 lsof Command Examples in Linux